MacOS Ventura Full-Disk Access Bug Fix

ScrapTech: The IT Admin’s Guide to Resourceful Troubleshooting

Troubleshooting. More often than not, that’s the name of the IT game. When you think of some of the greatest troubleshooters of our era, those who rise to the top of the list are usually faced with limited time, limited resources, and high-stakes outcomes. Sound familiar, IT admins? We thought it might.

On that, we mined our minds to come up with a list of the scrappiest, most effective, and most IT-minded troubleshooting heroes out there, and one name immediately rose to the top: MacGyver.

An MVP agent for a global do-good organization, smartypants MacGyver managed to overcome his enemies with his impressive reservoir of tech knowledge – and most of the time he did so with no more than a rubber band and a toothpick.

Even in the pilot episode of the 1980s series, troubleshooter MacGyver outsmarts a deadly security system to save researchers trapped in a hidden lab. That’s why, internally, we’ve been calling this brand new blog series The MacGyver Series. 

Officially, though, let’s introduce you to ScrapTech: The IT Admin’s Guide to Resourceful Troubleshooting.

A light in the dark: MacOS Ventura Full-Disk Access Bug Fix

As an IT admin, you know bugs and technical issues can arise at any moment. Often, it feels like they leave you in the dark and render your toolstack useless. 

But this script can be your beacon of light. It’s meant to address a specific bug with MacOS Ventura where apps lose their Full Disk Access permissions, which removes your ability to see or manage a device with most other tools.

The script empowers you to quickly sort affected computers by their OS version and provide clear instructions to users to resolve the issue in a step-by-step format. In the words of Gandalf from Lord of the Rings, this script is "a light to you in dark places, when all other lights go out."

How does the MacOS Ventura Full-Disk Access Bug Fix work?

Well, let’s dive into a specific scenario:

It’s Patch Tuesday. A lot of Macs in your org have updated their OS to Ventura. Everything seems to be going well until (dunh-dunh-DUNH) disaster strikes! Your Mobile Device Management (MDM) agents report that most of the systems are offline. Not only that, but your anti-virus platform says most of your devices are unreachable. Suddenly, tickets flood in with users who report that most of their apps have stopped working. Yikes!

You do a bit of research and, after some reading, you find the culprit: MacOS Ventura has a common bug where the Full-Disk Access permissions are removed from apps that need them the most, even if installed via MDM. Then, the worst news of all: Due to the permission changes with apps you could normally use to re-deploy these permissions, the only way to resolve the issue is by manually walking each user through removing and re-adding those permissions, or manually going to each computer in person to go through that process on the user’s behalf. 

You don’t have that kind of time. Nor do you have the manpower to pull this off effectively. It’s your dark night of the soul. Until a beam of light appears in the form of a script (what we call a Worklet™ in the Automox platform) that actually functions despite lacking full-disk access permissions.

With this Worklet, you can send notifications to all affected computers to guide those end users to resolve their problem, as if you are right there beside them guiding them through the process. Once the end users follow these steps, they should be able to get their computers back into a healthy and connected state.

Now let’s go ahead and take a look at how this Worklet actually works:

The MacOS Ventura evaluation script

The first script is an evaluation script. It checks the operating system version of the target computer by reading the shell's $OSTYPE variable. It’s designed to work specifically with MacOS Ventura versions 22.0, 22.1.0, and 22.2.0, which it matches as the strings "darwin22.0," "darwin22.1.0," and "darwin22.2.0." If the script detects the target computer is running one of these versions, it will output "yes" and exit with a status code of 1. If the evaluation script does not detect one of these versions, it will output "no" and exit with a status code of 0.

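#!/bin/bash

# bash sets $OSTYPE to a string describing the OS it is running on
osversion=$OSTYPE

# "yes" + exit 1 on the affected versions (remediation runs), "no" + exit 0 otherwise
if [ "$osversion" = "darwin22.0" ] || [ "$osversion" = "darwin22.1.0" ] || [ "$osversion" = "darwin22.2.0" ]; then
    echo yes && exit 1
else
    echo no && exit 0
fi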
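A range-based form of the same check, as an added example that is not part of the Automox Worklet: it parses the Darwin version out of an $OSTYPE-style string instead of comparing three exact strings, so a value with fewer components (such as "darwin22" or "darwin22.1") is still classified. The helper names darwin_needs_fix and evaluate are assumptions, and this goes slightly beyond the exact-match logic above.

```shell
#!/bin/bash
# Added example: darwin_needs_fix and evaluate are hypothetical helper names.

# Succeeds (status 0) when the string names Darwin 22.0 through 22.2, the
# releases the evaluation script lists, however many components it carries.
darwin_needs_fix() {
    local ostype="$1" version major minor
    case "$ostype" in
        darwin[0-9]*) version=${ostype#darwin} ;;
        *) return 1 ;;                       # not a Darwin string at all
    esac
    major=${version%%.*}
    if [ "$version" = "$major" ]; then
        minor=0                              # "darwin22": no minor component
    else
        minor=${version#*.}                  # "1.0" from "22.1.0"
        minor=${minor%%.*}                   # "1"
    fi
    # Anything empty or non-numeric is treated as unaffected
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -eq 22 ] && [ "$minor" -le 2 ]
}

# Same output and status convention as the evaluation script:
# "yes" with status 1 when remediation should run, "no" with status 0 otherwise.
evaluate() {
    if darwin_needs_fix "$1"; then
        echo yes
        return 1
    fi
    echo no
    return 0
}

# In a Worklet the last two lines would be:
#   evaluate "$OSTYPE"
#   exit $?
```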

The MacOS Ventura remediation script

The second is a remediation script that creates a notification to pop up on the target computer. The notification is designed to inform the user of a bug occurring with MacOS Ventura where certain apps don’t have Full Disk Access permissions enabled. The remediation script sets several variables, such as the notification’s title, the message to be displayed, and the buttons that can be clicked on the notification. For example, the remediation script sets the title to "Ventura Disk Access Bug," the message to explain the bug and how to give permission to the apps, and the buttons to "Help," "Details," and "OK."

#!/bin/bash
title="Ventura Disk Access Bug"
message="We have noticed a bug occurring with MacOS Ventura where apps don't have Full Disk Access permissions enabled. You are receiving this message because you are using Ventura OS on your system, and need to manually give permissions for certain apps so they can work properly on your machine.
Click "'"OK"'" to acknowledge and proceed after completing the included instructions, "'"Details"'" to see a How-to guide, or "'"Help"'" if you have outstanding issues following the guide and need to submit a ticket."
# Button labels shown on the alert; button1 and button2 below must match them
button='"Help", "Details", "OK"'
default_button="OK"
button1="Details"
button2="Help"
url1="https://<Your-Guide-Document-Here>"
url2="https://<Your-IT-HelpDesk-Here>"
# Show the alert; double quotes in the title and message are escaped for AppleScript
output=$(osascript -e 'display alert "'"${title//\"/\\\"}"'" message "'"${message//\"/\\\"}"'" buttons '{"$button"}' default button "'"$default_button"'" as critical')
# User currently logged in at the console
loggedinusername=$(stat -f '%Su' /dev/console)
# Ask AppKit, as the logged-in user, which application opens https URLs
function default_browser () {
sudo -u "$loggedinusername" osascript <<-AS
use framework "AppKit"
use AppleScript version "2.4"
use scripting additions
property NSWorkspace : a reference to current application's NSWorkspace
property NSURL : a reference to current application's NSURL
set wurl to NSURL's URLWithString:"https://www.apple.com"
set thisBrowser to (NSWorkspace's sharedWorkspace)'s URLForApplicationToOpenURL:wurl
set appname to (thisBrowser's absoluteString)'s lastPathComponent()'s stringByDeletingPathExtension() as text
return appname as text
AS
return
}
browser_name=$(default_browser)
# The name is taken from a URL string, so turn %20 back into spaces
browser=${browser_name//'%20'/ }
# Open the guide or the help desk page depending on the button clicked
if [ "$output" == "button returned:$button1" ]; then
    open -a "$browser" "$url1"
    exit 0
elif [ "$output" == "button returned:$button2" ]; then
    open -a "$browser" "$url2"
    exit 0
else
    exit 0
fi
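The osascript line in the remediation script splices the title and message into AppleScript source and escapes only double quotes; a backslash in edited message text would still be read as an escape character inside the string literal. The following added example (not part of the Automox Worklet; as_quote and build_alert are hypothetical helper names, and the sample message is constructed) builds the same alert statement with backslashes and quotes both escaped.

```shell
#!/bin/bash
# Added example, not the Worklet's own code. as_quote and build_alert are
# hypothetical helper names.

# Turn arbitrary text into one AppleScript string literal. Backslashes are
# doubled before quotes are escaped, so a trailing "\" cannot swallow the
# closing quote and a '"' cannot end the literal early.
as_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# build_alert TITLE MESSAGE DEFAULT_BUTTON BUTTON...
# Prints the AppleScript statement for the alert; every value passes
# through as_quote, including each button label.
build_alert() {
    local title="$1" message="$2" default="$3" list="" label
    shift 3
    for label in "$@"; do
        list="${list:+$list, }$(as_quote "$label")"
    done
    printf 'display alert %s message %s buttons {%s} default button %s as critical' \
        "$(as_quote "$title")" "$(as_quote "$message")" "$list" "$(as_quote "$default")"
}

# Constructed sample text containing both characters that need escaping.
sample_message='Toggle "Full Disk Access" off\on for each app'

# On a Mac the remediation script would then run:
#   output=$(osascript -e "$(build_alert "Ventura Disk Access Bug" \
#       "$sample_message" "OK" "Help" "Details" "OK")")
```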

These Worklets can be useful for IT admins in several ways:

  1. The evaluation script can be used to quickly check the OS version of multiple computers in an organization, allowing IT admins to scope this solution to address only the systems affected by the bug.

  2. The remediation script can be used to send out a notification to all affected computers, providing users with clear instructions on how to fix the issue. This can save IT admins time and resources, as they won’t have to manually contact each user individually.

  3. The Worklet also provides a link for further assistance for users which can be useful for IT admins to manage their support tickets.

Get scrappy with MacOS Ventura

Overall, this script can be a useful tool for IT admins to quickly notify end-users and guide them to fix issues on MacOS Ventura computers in their organization.

So, the next time you feel the walls closing in around you and darkness cascading across your IT environment, remember the rays of light that come in the form of Worklets. Harness their power and, in this case, send notifications to all affected computers and help end users resolve their problems. 

And if your users are facing a different set of problematic circumstances, there’s probably a Worklet for that, too. It’s easy. Worklets = the force. So…

And that, my friends, is what we call a callback. Til next time!
